logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-53535 better-auth

Package

Manager: npm
Name: better-auth
Vulnerable Version: >=0 <1.2.10

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.00088 pctl0.26073

Details

Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes ### Summary An open redirect has been found in the `originCheck` middleware function, which affects the following routes: `/verify-email`, `/reset-password/:token`, `/delete-user/callback`, `/magic-link/verify`, `/oauth-proxy-callback`. ### Details In the `matchesPattern` function, `url.startsWith(` can be deceived with a `url` that starts with one of the `trustedOrigins`. ```jsx const matchesPattern = (url: string, pattern: string): boolean => { if (url.startsWith("/")) { return false; } if (pattern.includes("*")) { return wildcardMatch(pattern)(getHost(url)); } return url.startsWith(pattern); }; ``` ### Open Redirect PoCs ```jsx export const auth = betterAuth({ baseURL: 'http://localhost:3000', trustedOrigins: [ "http://trusted.com" ], emailAndPassword: { ... }, }) ``` #### `/reset-password/:token` <img width="481" alt="image" src="https://github.com/user-attachments/assets/46e7871a-1dad-4375-af94-0446e29aaab6" /> <br/> <img width="518" alt="image 1" src="https://github.com/user-attachments/assets/83abfb53-6fc9-4d1f-918d-9b4ce093c808" /> #### `/verify-email` <img width="549" alt="image" src="https://github.com/user-attachments/assets/7dd424b7-42a4-4616-aa73-fcc2e3eeb309" /> <br/> <img width="436" alt="image" src="https://github.com/user-attachments/assets/54f11636-0a3e-4e83-9a09-57c5e8ba98cd" /> #### `/delete-user/callback` <img width="545" alt="image" src="https://github.com/user-attachments/assets/2ff1b217-d069-48fb-81c1-f8c8792d34a4" /> <br/> <img width="492" alt="image" src="https://github.com/user-attachments/assets/71df11db-9d38-4f34-abe1-add9d60b3486" /> #### `/magic-link/verify` <img width="379" alt="image" src="https://github.com/user-attachments/assets/6b6b6a8a-59b6-4a65-9df3-57d5b2f6eb0f" /> <br/> <img width="413" alt="image" src="https://github.com/user-attachments/assets/82a5c9c6-2ea0-44eb-af48-40732657b59e" /> #### `/oauth-proxy-callback` <img width="548" alt="image" src="https://github.com/user-attachments/assets/d8d2ee51-e9fd-4337-bec3-a70afd1ceacb" /> <br/> <img width="544" alt="image" src="https://github.com/user-attachments/assets/f097d406-b965-4f85-b124-9b0ef1cc2689" /> ### Impact Untrusted open redirects in various routes.

Metadata

Created: 2025-07-07T22:13:14Z
Modified: 2025-07-07T22:13:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-36rg-gfq2-3h56/GHSA-36rg-gfq2-3h56.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-36rg-gfq2-3h56
Finding: F007
Auto approve: 1